Abstract

Electronic cash is a subject of great economic, political, 
and research importance. With advances in computer 
networks, in processor speed, and in databases and with 
advances in note counterfeiting technology and with both 
individuals' and businesses' desire for remote and more 
convenient financial transactions, some forms of electronic 
cash are likely to become widespread within 5 to 10 years. 
While unconditionally anonymous electronic cash systems 
have been proposed in the literature, governmental and 
financial institutions are unwilling to back a completely 
anonymous system. Instead, they have proposed systems 
with little or no protection for the users' privacy. Their 
reasons for opposing complete untraceability have to do with 
the containment of user fraud and the desire to restrict the 
new kinds of crime that unrestricted remotely withdrawable 
and spendable electronic cash could facilitate. 

We introduce the first electronic cash systems which incorporate trustee-based tracing but otherwise provably protect user anonymity. We expand on the provably anonymous electronic cash systems of [B93] and [FY92]. Our systems maintain the previous papers' complete provable user anonymity except that, only with the cooperation of several publicly appointed trustees (key-escrow agents), the government can trace a user's spending with certainty, determining to whom the user gave his/her money and how much s/he gave. The trustees can answer the question of whether a particular payment was made by a particular user, without revealing any additional information. This allows for authorized forward and backward tracing that does not impinge on the privacy of anyone other than the parties of the one transaction in question. The trustee-based tracing requires no tamper-resistant hardware and can be implemented as either on-line or off-line systems.

For those concerned about the trustworthiness of the trustees, we describe how a mutually distrustful government and user can construct an electronic trustee, a device which can be used in place of (or in addition to) ordinary human trustees. This device, which does use tamper-resistant and tamper-detecting hardware, automatically alerts the user in case his/her secret stored by the trustee is released or compromised.

Furthermore, we introduce an on-line anonymous 
change-making protocol that is independent of trustee-based 
tracing. This protocol addresses a major stumbling block for 
anonymous cash systems: how a user can make an anony- 
mous purchase at a store when the user does not have cor- 
rect change. We are able to provide exact, perfectly anony- 
mous change, assuming a line of communication with a coin- 
minting facility. There is no need to determine on-line that 
the user's coins have not been spent before. 
1 Introduction

We present electronic cash systems that we believe can 
be put into practice. Our systems have the following 
properties: 

• The systems are reasonably acceptable to users who 
are concerned about invasion of their privacy. 

We envision that each individual is allowed to 
withdraw remotely a modest amount of completely 
untraceable electronic cash, say about $100, per 
day. Other completely untraceable cash would be 
withdrawn in-person from such places as an ATM 
or from a bank branch. 

• The systems are acceptable from the point of view 
of law enforcement and crime prevention. 

Aside from the completely untraceable money, each 
individual is allowed to withdraw remotely as much 
money as s/he has, from any location, in the form of 
trustee-traceable electronic cash. This means that 
if law enforcement gets the trustees' approval, it 
can get from the trustees information to determine 
where a user has spent his/her trustee-traceable 
money. 

While it is possible for trustee-based systems to 
have an arbitrary number of trustees and for the 
trustee-based tracing to have an arbitrary positive 
access structure associated with it, for the sake of 
simplicity, the systems which we present in this 
extended abstract have two trustees, both of whom 
are required for a trace to be effective. 

The trustee-based tracing can be accomplished 
completely through cryptology and has no need for 
tamper-resistant hardware. It works as follows: 

When the user sets up his/her bank account, the 
user provides the trustees collective information 
which later would allow them to recognize the 
user's trustee-traceable coins. If a trace is ordered 
by the courts or authorized by the user, the trustees 
use their information to recognize payments involv- 
ing the user's money. This technique is described 
in section 3. 

• The systems address the major problem of the user 
trying to make a purchase without correct change 
while maintaining (either unconditional or trustee-based) user anonymity. Our anonymous change-making protocol is on-line, in the sense that it requires that the user must be able to communicate anonymously with an electronic coin-minting facility. However, unlike the solutions proposed in [Cha89], there is no need for the system to check, during the change-making transaction, that the user's coins have not been spent already. Our protocol is independent of trustee-based tracing and can be used in either the context of a completely anonymous system or a trustee-based system.

A privacy-minded user does not want to accept 
coins from a store as change because those coins 
might be traceable in a way not obvious to the 
user. Also, the user does not want to identify 
him/herself to the bank immediately before making 
the purchase because the bank could then associate 
the user with the store. The bank might make this 
association either by learning the user's physical 
location at the store via the user's communications 
or observing that the change-making happens close 
to the time that the store deposits the money the 
user gave it. Our protocol allows a user desiring 
correct change, but not wishing to reveal his/her 
identity to the bank, to exchange anonymously 
one set of coins for another set of coins of equal 
total value, but different denominations. The bank 
does not learn the user's identity, but the system's 
protection against multiple-spending of electronic 
money and other fraud remains intact. 

Furthermore, we note that no off-line, perfectly 
unlinkable, and efficient cash-divisibility scheme is 
possible. This is so in the following sense: if 
all the pieces of a divisible coin are information- 
theoretically unlinkable, then the total entropy of 
the coin (and the number of bits associated with the 
coin) must be proportional to the maximum num- 
ber of legitimately spendable pieces. Therefore, the 
only hope for creating unlinkable divisible coins is 
to put the user's privacy in terms of complexity 
assumptions. 

The security and privacy properties of our protocol are based on the algebraic properties of a large subgroup of prime order $q$ embedded in the multiplicative group $\mathbb{Z}_p^*$, where $p$ is a large prime.

The systems are secure against counterfeiting and other fraud. We present one version of the system based on [B93], where the security is based on the existence of a collision-free hash function and the difficulty of finding discrete logarithms, and one version based on [FY92], where the security is based on the existence of a collision-free hash function and the difficulty of factoring as well as the difficulty of finding the discrete log.

• The systems protect the user against false charges 
of spending electronic money. Even with the help 
of all the trustees, the government can not feasibly 
make the user appear to have made a payment s/he 
did not make. 

• The systems allow for the transferability of coins as 
described in [vA90] and [CP92]. Furthermore, the 
transfers can be made trustee-traceable. 

1.1 Previous Work.

There is a great amount of literature on electronic 
cash. Previously proposed systems can be divided into 
two types: 

• Those that offer little privacy for the users of the 
system. These systems either neglect the privacy 
issue altogether or trust the banks, the government, 
or other central authority not to pry into users' 
financial dealings. 

• Privacy-protecting systems. These tend to be more 
difficult to design because they have to prevent 
the bank from learning too much about the user 
while still giving the bank power to prevent or 
detect fraud by the user. Most such systems use 
a concept called blind signatures which is due to 
Chaum [Cha83]. A blind signature scheme is a 
protocol in which the signer (the bank or the mint) 
signs a piece of information for the recipient (the 
electronic cash system user) without being aware 
of exactly which signature it is providing. The 
recipient obtains a signature but does not learn 
anything from the protocol which would enable him 
or her to sign other things. This type of signature 
scheme, when used in the context of electronic cash, 
enables the user to withdraw money from the bank, 
spend it at a store, and be confident that when the 
store deposits the money at the bank, the bank will 
not be able to recognize the money as the same 
cash given to the user. [CFN90], [OO92], [FY92], 
and [B93] are examples of systems which employ 
blind signatures. 

So far, there are two basic blind signature schemes, 
one due to Chaum and Pedersen [CP93] and the 
other due to Chaum ([Cha85] and [Cha88]). 

[Cha85] and [Cha88] introduce a protocol based on the difficulty of computing cube roots modulo an RSA modulus $N$ with unknown factorization. The idea is that the bank knows the factorization of the modulus and is able to compute pairs $(y, H(y)^{1/3} \bmod N)$, where $H$ is a collision-free hash function. The user chooses random $r, x \bmod N$ and sends $r^3 H(x) \bmod N$ to the bank. The bank sends $r H(x)^{1/3}$ to the user, who extracts the coin $(x, H(x)^{1/3})$, which is unknown to the bank.

[CP93] introduces a protocol based on the difficulty of computing the discrete log of a number $h \bmod p$ where $p$ is a large prime. The bank sets $h = g^x \bmod p$ where $g$ is a public generator. The bank then publicizes $h$ but keeps $x$ secret. The blind signature scheme is somewhat complicated and is presented as part of the protocols of subsection 3.2.

Two previous techniques to deal with the prob- 
lem of providing change anonymously are due to 
Ohta and Okamoto [OO92] and Eng and Okamoto 
[EO94] who developed protocols which enable a 
user to split his or her coins into pieces and give dif- 
ferent stores different pieces. The trouble with their 
solution is that, while the bank may not know who 
withdrew the coin, the bank will recognize the dif- 
ferent pieces as belonging to the same coin. Thus, 
the pieces are linkable. 

1.2 Privacy, Kidnapping, Extortion, Lost Money, and Other Issues.

Due to space considerations, we defer the bulk of 
our discussion of these important but less technical 
issues to the full paper. One problem with previously 
proposed privacy-preserving electronic cash systems is 
that they make kidnapping and other forms of extortion 
more viable than with paper-based transactions (see 
[vSN92]). 

1.3 Organization of the Paper. 

In section 2, we define terms. 

In subsections 3.2 and 3.3, respectively, we incorporate trustee-traceability into two previously published cash transaction systems.

In section 4, we describe an electronic trustee which 
automatically alerts the user when s/he is being traced. 

In section 5, we present our solution to the problem 
of making a completely anonymous purchase when the 
user does not have correct change. 

2 Definitions 

We define terms that we'll use throughout the rest of the extended abstract.

• $U$, the User or the User's card: The User is anyone who withdraws and spends electronic money. The User's card is a card constructed for and trusted by the user. It is the device with which s/he makes withdrawals, purchases, and reports transactions. $ID_U$ is a user ID which is associated with $U$.

• $B$, the Bank: An institution which dispenses elec- 
tronic cash for withdrawal and accepts it for de- 
posit. The bank should not have the power to trace 
users' spending. 

• Trustee: A person or device that stores part of a 
secret which can be used to trace the user's financial 
transactions. 

• G, the Government: A regulator of the financial 
system. G should only be able to trace the users' 
money if G has the trustees' cooperation. 

• H: A collision-free hash function. 

3 Incorporating Trustee-based Tracing into the Cash Protocols

We present means by which trustee-based tracing is directly incorporated into the basic electronic cash protocols of Brands and Franklin-Yung. The tracing mechanism is efficient and the user's card needs to converse with trustees only upon the set-up of his/her account. Furthermore, the trustee-based tracing requires no tamper-resistant hardware and, as long as the trustees do not cooperate in an attempt to trace the user's spending, the system preserves the security and complete anonymity of the original anonymous cash schemes.

We note here that in the above-described systems, 
an answer to the question of where a user spent one of 
his/her electronic coins would involve a binary search 
over a potentially very large database of deposits. While 
they also have the advantage that they do not require 
tamper-resistant hardware and while they provide for 
the cryptographic tracing of double-spenders, we be- 
lieve that any acceptable general use offline system must 
prevent double-spending and that this will involve sta- 
tioning a tamper-resistant device in the user's electronic 
wallet. 

In the full paper, we consider a method of trustee- 
based tracing that is centered on a tamper-resistant 
observer. This has the advantage that there is no need 
for legitimate traces to access large databases. 

In the full paper, we describe two extensions that 
allow for the tracing of a user's financial transactions by 
trustees. Both of these extensions are centered around 
having the user send an encrypted version of his or 
her transaction records periodically to an Automatic 
Records Deposit Machine (ARDM). The records are 
encrypted in such a way that it would require both 
trustees to decrypt them. The deposits of the records 
may be done remotely. 
The first, simpler, extension is based on the idea that the user's wallet will be fabricated in a facility trusted by both the user and the government.

In the second extension, there is no single de- 
vice which is trusted by both the user and the gov- 
ernment. Instead, the user builds his/her own card 
and the tamper-resistant government-trusted observer 
is stationed within it. 

3.1 Proving Combined Knowledge of a Representation.

At various times in the protocols of subsections 3.2 and 3.3, the trustees, $T_1$ and $T_2$, will wish to show a third party (a verifier) that they have combined knowledge of a representation of some number $h$ relative to generators $g_1, g_2$.



Proving Combined Knowledge of a Representation

$P_1$ and $P_2$ claim to have combined knowledge of a representation of $h$ in terms of $g_1, g_2$.
$P_1$ knows $g_1^{x_{1,1}} g_2^{x_{1,2}}$. $P_2$ knows $g_1^{x_{2,1}} g_2^{x_{2,2}}$.
$P_1$ proves knowledge of a representation of $g_1^{x_{1,1}} g_2^{x_{1,2}}$ to $V$.
$P_2$ proves knowledge of a representation of $g_1^{x_{2,1}} g_2^{x_{2,2}}$ to $V$.
$V$ checks that $h = (g_1^{x_{1,1}} g_2^{x_{1,2}})(g_1^{x_{2,1}} g_2^{x_{2,2}})$.



The following protocol appears in [B93]: 



Proving Knowledge of a Representation
($P$ knows $y = g_1^{a_1} g_2^{a_2}$.)

P: compute $w_1, w_2 \in_R \mathbb{Z}_q$, $z = g_1^{w_1} g_2^{w_2}$;
   send $z, (g_1, g_2), y \rightarrow V$.
V: send challenge $c \in_R \mathbb{Z}_q \rightarrow P$.
P: send $r_i = w_i + c a_i \bmod q$ for $i = 1, 2 \rightarrow V$.
V: check $z y^c = g_1^{r_1} g_2^{r_2}$.



3.2 Incorporating Trustee-based Tracing into Brands' Protocols.

We describe a modification of Brands' protocols which allows for trustee-based tracing. There is no need for any tamper-resistant devices or any inconvenience to the user. The security of all parties is based only on cryptographic assumptions. The trustees participate in an interactive process during the account Set-Up protocol, when they conduct proofs of knowledge of a representation for each value $f_k$ ($k$ indexes the coin withdrawn by the user and each coin has a different value $f_k$).



Let $p, q$ be large primes such that $q \mid (p - 1)$ and let $G_q \subset \mathbb{Z}_p^*$ be the subgroup of order $q$. Let $g, g_1, g_2, g_3, g_4, d$ be generators of $G_q$ randomly chosen by the bank.

The values $h_i = g^{\alpha_i}$ are information published by the bank for verifying the authenticity of the electronic coins, where the index $i$ refers to the coin's denomination. Knowledge of $\alpha_i$ allows the bank to mint coins of denomination $i$.

The set-up, withdrawal, and payment protocols 
are extensions of Brands' basic set-up, withdrawal and 
payment protocols. 

In the new set-up protocol, the user gives the trustees information which would allow them to link any payment involving each coin to its withdrawal. This information is the combined knowledge of $U$'s representation of the value $f_k = g_3^{\gamma_{3,k}} g_4^{\gamma_{4,k}}$. The trustees prove to the government that they know a representation for $f_k$.



Set-Up-With-Trustees

U: generate random $u_1, u_2$ and send $I_U = g_1^{u_1} g_2^{u_2} \rightarrow B$.
B: associate $I_U$ with $U$'s identity, $ID_U$; choose random $\alpha_i$ for each coin
   denomination $i$ and broadcast $g, h_i = g^{\alpha_i}$.
Let $N$ be an upper bound on the number of coins which $U$ will withdraw.
U: choose $\{\gamma_{3,k}, \gamma_{4,k}\}_{k=1}^N \in_R \mathbb{Z}_q$.
   For each $k$, randomly split $\gamma_{3,k} = s^k_{1,1} + s^k_{2,1}$, $\gamma_{4,k} = s^k_{1,2} + s^k_{2,2} \bmod q$;
   send $s^k_{1,1}, s^k_{1,2} \rightarrow T_1$ and $s^k_{2,1}, s^k_{2,2} \rightarrow T_2$.
   For each $k$, send $f_k = g_3^{\gamma_{3,k}} g_4^{\gamma_{4,k}} \rightarrow B$.
For each $k$, trustees $T_1$ and $T_2$ prove combined knowledge of a representation
of $f_k$ to $B$ relative to $g_3$ and $g_4$.



The new withdrawal protocol is very similar to the protocol of [B93] except that $m = I_U d f_k$.

The underlying idea of Brands' protocol is that $B$ provides $U$ with a blind signature that is a tuple $(A, B, z', a', b', r')$. This tuple satisfies the equations $g^{r'} = h^{H(m', z', a', b', A)} a' \bmod p$ and $m'^{r'} = z'^{H(m', z', a', b', A)} b' \bmod p$. If $H$ is a collision-free hash function, it is believed to be hard to create a tuple of this form without finding the discrete log of $h$ (see [B93]). Furthermore, because the signature is blinded, the tuple is uniformly distributed among all such tuples when one is given only the bank's view of the conversation.
Withdrawal-With-Trustees (for denomination $i$, for $U$'s $k$th withdrawal). Let $h = h_i$, $\alpha = \alpha_i$.

U: prove knowledge of a representation of $I_U = g_1^{u_1} g_2^{u_2} \bmod p$ to $B$.
B: choose $w \in_R \mathbb{Z}_q$ and set $m = I_U d f_k$;
   send $z = m^{\alpha}, a = g^w, b = m^w \rightarrow U$.
U: choose $s \in_R \mathbb{Z}_q^*$, set $m' = m^s$, $z' = z^s$;
   choose $x_1, x_2, x_4, x_5 \in_R \mathbb{Z}_q$, set
   $y_1 = u_1 s - x_1$, $y_2 = u_2 s - x_2 \bmod q$,
   $y_4 = \gamma_{4,k} s - x_4$, $y_5 = s - x_5 \bmod q$;
   let $A = g_1^{x_1} g_2^{x_2} g_3^{\gamma_{3,k} s} g_4^{x_4} d^{x_5}$ and $B = g_1^{y_1} g_2^{y_2} g_4^{y_4} d^{y_5}$ (so that $AB = m'$);
   choose $u, v \in_R \mathbb{Z}_q^*$, set $a' = a^u g^v$, $b' = b^{su} (m')^v$, $c' = H(m', z', a', b', A)$;
   send $c = c'/u \rightarrow B$.
B: send $r = \alpha c + w \bmod q \rightarrow U$.
U: verify $g^r = h^c a$, $m^r = z^c b \bmod p$;
   set $r' = ru + v \bmod q$;
   set $\mathrm{sign}_B(A, B) = (z', a', b', r')$.



In the new payment protocol, the user is forced to reveal the value $r_3 = \gamma_{3,k} s$. Later, if the trustees give the government the value $\gamma_{3,k}$ from the execution of the withdrawal protocol and the government has the values $m', r_3 = \gamma_{3,k} s$ from an execution of a payment protocol, then the government can compute $s$ and $I_U d = m'^{1/s} / f_k \bmod p$, thereby linking the payment with the withdrawal.



In the deposit protocol, the store S sends a tran- 
script of the payment protocol to both the bank B and 
the government G. 

The procedure which the government can use to trace multiple spenders is the same as that in Brands' basic protocols and is included here for completeness.



Tracing Multiple Spenders

The bank $B$ has records of a coin spent two times, with two different challenges, $\beta, \beta'$.
To identify the user, $B$ uses the two sets of responses $(r_1, r_2, r_5)$ and $(r_1', r_2', r_5')$.
B: compute $z_2 = \frac{r_5 - r_5'}{\beta - \beta'}$, $z_1 = r_5 - \beta z_2$, $s = z_1 + z_2$,
   $x_2 = \frac{r_1 - r_1'}{\beta - \beta'}$, $x_1 = r_1 - \beta x_2$, $u_1 = (x_1 + x_2)/s$,
   $y_2 = \frac{r_2 - r_2'}{\beta - \beta'}$, $y_1 = r_2 - \beta y_2$, $u_2 = (y_1 + y_2)/s$ (all $\bmod q$),
   $I_U = g_1^{u_1} g_2^{u_2}$.

When presented with a court order, the trustees will provide the government means to trace user $U$.

In the second protocol, the trustees don't give the government the value $\gamma_{3,k}$. Instead, they determine only whether $m'^{r_3^{-1}} = (I_U d f_k)^{\gamma_{3,k}^{-1}}$ by attempting to prove knowledge of a representation of $I_U d f_k$ in terms of the single generator $m'^{r_3^{-1}}$.

Trace-With-Trustees

G: ask $T_1$ and $T_2$ for all sets of withdrawal values $\{s^k_{i,j}\}_{i,j \in \{1,2\}}$ of user $U$.
   For all withdrawals $k$, compute $\gamma_{3,k} = s^k_{1,1} + s^k_{2,1} \bmod q$.
   Search the database of payment transcripts for $m'^{r_3^{-1}} = (I_U d f_k)^{\gamma_{3,k}^{-1}}$.
   If found, that is $U$'s coin.



Trace-One-Payment

The government $G$ wants to know whether a particular payment was made by a user $U$.
Let $\{s^k_{i,j}\}_{i=1,2;\, j=1,2;\, k=1..N}$ be the shares given by $U$ to $T_1$ and $T_2$ during the user's $N$ executions of the withdrawal protocol.

G: obtain a court signature for the payment in question;
   send $m', r_3, I_U, \mathrm{Sign}_C(m', r_3, I_U) \rightarrow T_1$ and $T_2$.
$T_1$ and $T_2$: for each value $k$, attempt to prove combined knowledge of a representation of
   $I_U d f_k$ relative to $m'^{r_3^{-1}} \bmod p$, using their knowledge of $s^k_{1,1}$ and $s^k_{2,1}$.
G: if $T_1$ and $T_2$ succeed, assume that the coin involving $m'$ was spent by $U$.

Payment-With-Trustees

U: send $A, B, \mathrm{sign}_B(A, B) = (z', a', b', r')$, $r_3 = \gamma_{3,k} s \bmod q \rightarrow S$.
S: verify that $AB \neq 1$, verify $\mathrm{sign}_B(A, B)$;
   send $c_1 = H(ID_S, \mathit{time}, r_3, A, B) \rightarrow U$.
U: send $r_1 = x_1 + c_1 y_1 \bmod q$, $r_2 = x_2 + c_1 y_2$, $r_4 = x_4 + c_1 y_4$, $r_5 = x_5 + c_1 y_5 \rightarrow S$.
S: verify $g_1^{r_1} g_2^{r_2} g_3^{r_3} g_4^{r_4} d^{r_5} = A B^{c_1} \bmod p$.

Lemma 3.1. The above protocols satisfy the following properties:

1. They preserve the protections of [B93] against counterfeiting and multiple spending.

2. The values $A, B, z', a', b', r', r_1, r_2, r_3, r_4, r_5, c_1$ appearing in the payments of a user's coins are completely independent from the values $I_U, f_k, w, m, z, a, b, c, r$ (and the values appearing in the trustees' proof of knowledge of a representation of $f_k$) appearing in the user's withdrawals. Therefore, without help from all the trustees, the user's cash is information-theoretically anonymous.

3. If the user can not forge Schnorr signatures and if the hash function, $H$, is designed correctly, then it is infeasible for the user to prevent the trustees from linking his/her withdrawals to his/her payments.

4. If the user does not reveal the representation $I_U = g_1^{u_1} g_2^{u_2}$, then the government, even with the help of all the trustees, could successfully claim that an honest user made a payment s/he did not make only if the government or the trustees can compute discrete logs.

5. If there is a legitimate payment such that an honest government $G$ is able to link withdrawals from both user $U$ and user $U'$ to that payment, then $U$ and $U'$ can combine their information to get a non-trivial representation of 1 relative to generators $g_1, g_2, g_4, d$. This means that dishonest users cannot create false links between withdrawals and payments.

See Appendix A for the proof. 
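As an added illustration (not code from the paper), the following Python walk-through runs the protocols of subsections 3.1 and 3.2 end to end on constructed toy parameters: the representation proof with two provers whose shares $B$ multiplies to check $f_k$, Withdrawal-With-Trustees producing $(A, B, \mathrm{sign}_B(A, B))$, Payment-With-Trustees with its $r_3$ disclosure, and both Trace-With-Trustees and Trace-One-Payment run against the resulting transcript. The group ($p = 2039$, $q = 1019$), the fixed square generators, the SHA-256-based $H$ and the seeded randomness are assumptions made for illustration; the functions are meant to be called in the order setup(), withdraw(), pay(), shop_accepts(), then the two trace functions.

```python
import hashlib
import random
# Constructed toy parameters: q = 1019 and p = 2q + 1 = 2039 are prime; tiny, but every protocol equation runs.
p, q = 2039, 1019
# Squares mod p lie in the order-q subgroup; a real bank would pick these generators at random.
g, g1, g2, g3, g4, d = (pow(x, 2, p) for x in (2, 3, 5, 7, 11, 13))
rng = random.Random(7)            # deterministic, so the walk-through repeats
alpha = rng.randrange(1, q)       # bank's minting secret alpha_i for one denomination
h = pow(g, alpha, p)              # published h_i = g^alpha_i

def H(*parts):
    """Collision-resistant hash onto Z_q, standing in for the paper's H."""
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def prod(pairs):
    """prod g_i^{e_i} mod p over (base, exponent) pairs."""
    out = 1
    for base, e in pairs:
        out = out * pow(base, e % q, p) % p
    return out

def prove_rep(gens, exps):
    """Proving Knowledge of a Representation: P knows y = prod g_i^{a_i}; V's challenge c is drawn here."""
    w = [rng.randrange(q) for _ in gens]
    c = rng.randrange(q)
    return prod(zip(gens, w)), c, [(wi + c * ai) % q for wi, ai in zip(w, exps)]

def verify_rep(gens, y, transcript):
    """V checks z * y^c == prod g_i^{r_i}."""
    z, c, r = transcript
    return z * pow(y, c, p) % p == prod(zip(gens, r))

def setup():
    """Set-Up-With-Trustees for coin k: U shares (gamma3, gamma4) between T1, T2; B gets f_k plus a combined proof."""
    u1, u2 = rng.randrange(1, q), rng.randrange(1, q)
    gamma3, gamma4 = rng.randrange(1, q), rng.randrange(1, q)
    s11, s12 = rng.randrange(q), rng.randrange(q)              # T1's shares
    s21, s22 = (gamma3 - s11) % q, (gamma4 - s12) % q          # T2's shares
    part1, part2 = prod([(g3, s11), (g4, s12)]), prod([(g3, s21), (g4, s22)])
    ok = (verify_rep((g3, g4), part1, prove_rep((g3, g4), (s11, s12)))
          and verify_rep((g3, g4), part2, prove_rep((g3, g4), (s21, s22))))
    return dict(I_U=prod([(g1, u1), (g2, u2)]), u=(u1, u2), gamma=(gamma3, gamma4),
                f_k=part1 * part2 % p, T1=(s11, s12), T2=(s21, s22), proof_ok=ok)

def withdraw(acct):
    """Withdrawal-With-Trustees: B blind-signs m = I_U d f_k; U keeps (A, B, sign_B(A, B)) and its spending secrets."""
    u1, u2 = acct["u"]; gamma3, gamma4 = acct["gamma"]
    m = acct["I_U"] * d % p * acct["f_k"] % p
    w = rng.randrange(q)                                        # B's commitment randomness
    z, a, b = pow(m, alpha, p), pow(g, w, p), pow(m, w, p)
    s = rng.randrange(1, q)                                     # U's blinding exponent
    m_, z_ = pow(m, s, p), pow(z, s, p)
    x1, x2, x4, x5 = (rng.randrange(q) for _ in range(4))
    y1, y2, y4, y5 = (u1*s - x1) % q, (u2*s - x2) % q, (gamma4*s - x4) % q, (s - x5) % q
    A = prod([(g1, x1), (g2, x2), (g3, gamma3 * s), (g4, x4), (d, x5)])
    B = prod([(g1, y1), (g2, y2), (g4, y4), (d, y5)])           # chosen so that A * B == m'
    u, v = rng.randrange(1, q), rng.randrange(1, q)
    a_ = pow(a, u, p) * pow(g, v, p) % p
    b_ = pow(b, s * u % q, p) * pow(m_, v, p) % p
    c = H(m_, z_, a_, b_, A) * pow(u, -1, q) % q                # c = c'/u
    r = (alpha * c + w) % q                                     # B's response
    assert pow(g, r, p) == pow(h, c, p) * a % p and pow(m, r, p) == pow(z, c, p) * b % p
    return dict(A=A, B=B, sig=(z_, a_, b_, (r * u + v) % q), s=s,
                x=(x1, x2, x4, x5), y=(y1, y2, y4, y5))

def verify_sig(A, B, sig):
    """g^r' == h^c' a' and m'^r' == z'^c' b', with m' = AB and c' = H(m', z', a', b', A)."""
    z_, a_, b_, r_ = sig
    m_ = A * B % p
    c_ = H(m_, z_, a_, b_, A)
    return pow(g, r_, p) == pow(h, c_, p) * a_ % p and pow(m_, r_, p) == pow(z_, c_, p) * b_ % p

def pay(coin, gamma3, shop_id, time):
    """Payment-With-Trustees: U reveals r3 = gamma3*s, then answers c1 = H(ID_S, time, r3, A, B)."""
    x1, x2, x4, x5 = coin["x"]; y1, y2, y4, y5 = coin["y"]
    r3 = gamma3 * coin["s"] % q
    c1 = H(shop_id, time, r3, coin["A"], coin["B"])
    resp = ((x1 + c1*y1) % q, (x2 + c1*y2) % q, r3, (x4 + c1*y4) % q, (x5 + c1*y5) % q)
    return dict(A=coin["A"], B=coin["B"], sig=coin["sig"], c1=c1, r=resp)

def shop_accepts(t):
    """S: AB != 1, sign_B(A, B) valid, and g1^r1 g2^r2 g3^r3 g4^r4 d^r5 == A B^c1."""
    A, B = t["A"], t["B"]
    lhs = prod(zip((g1, g2, g3, g4, d), t["r"]))
    return A * B % p != 1 and verify_sig(A, B, t["sig"]) and lhs == A * pow(B, t["c1"], p) % p

def trace_with_trustees(t, acct):
    """Trace-With-Trustees: from the trustees' gamma3 and the payment's r3, G gets s and I_U d = m'^(1/s) / f_k."""
    gamma3 = (acct["T1"][0] + acct["T2"][0]) % q
    s = t["r"][2] * pow(gamma3, -1, q) % q
    return pow(t["A"] * t["B"] % p, pow(s, -1, q), p) * pow(acct["f_k"], -1, p) % p

def trace_one_payment(t, acct):
    """Trace-One-Payment: gamma3 stays with the trustees, who only test m'^(1/r3) == (I_U d f_k)^(1/gamma3)."""
    gamma3 = (acct["T1"][0] + acct["T2"][0]) % q
    target = acct["I_U"] * d % p * acct["f_k"] % p
    return pow(t["A"] * t["B"] % p, pow(t["r"][2], -1, q), p) == pow(target, pow(gamma3, -1, q), p)
```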

3.3 Incorporating Trustee-based Tracing into the Franklin and Yung-type Protocols.

The trustee-based tracing relies on the user encoding information to unlock the secrets of his/her coin in the coin released during the withdrawal protocol. This information is encoded using public keys $E_1, E_2$, whose private key counterparts are known to trustees $T_1$ and $T_2$ respectively.

Let $U$ be the user, $S$ be a shop, $B$ be the bank, $G$ be the government, and $T_1, T_2$ be trustees. $T_1$ knows private key $\Theta_1$ and publicizes public key $E_1$. $T_2$ knows private key $\Theta_2$ and publicizes public key $E_2$. Let $\Theta = \Theta_1 \circ \Theta_2$. $B$ and $G$ know the factorization $n = q_1 q_2$.



Set-Up-With-Trustees

B: publish large primes $p, q$ such that $q$ divides $p - 1$, $g \in \mathbb{Z}_p^*$ of order $q$, and an RSA modulus $n$ whose factors $B$ knows.



The withdrawal protocol employs a technique called "cut and choose." In the process of acquiring an electronic coin, the user presents $k$ randomized tuples to the bank. The bank selects $k/2$ of these tuples randomly and asks the user to show that they are properly constructed. The remaining $k/2$ tuples are used to create the coin. For each tuple, the user provides information that would allow for a trace. If the user cooperates on at least 3/4 of the tuples, a trace can be done.



Withdrawal-With-Trustees

U: prove identity to $B$ (and sign all subsequent messages); choose $k$ tuples
   $(r_i, a_{1i}, a_{2i} = ID_U / a_{1i} \bmod q, E_1(u_{1i}, u_{2i}), E_2(v_{1i}, v_{2i}))$
   where for $i \in [1 \ldots k]$, $r_i \in_R \mathbb{Z}_n^*$, $u_{1i}, u_{2i} \in_R \mathbb{Z}_q$
   and $u_{1i} + v_{1i} = a_{1i}$, $u_{2i} + v_{2i} = a_{2i}$;
   send $\{r_i^3 H(g^{a_{1i}} \bmod p \,\|\, g^{a_{2i}} \bmod p) \bmod n;\ E_1(u_{1i}, u_{2i}), E_2(v_{1i}, v_{2i})\}_{i=1}^k \rightarrow B$.
B: send $L \subset \{1 \ldots k\}$, $|L| = k/2 \rightarrow U$.
U: send $\{(r_i, a_{1i}, a_{2i}, u_{1i}, u_{2i}, v_{1i}, v_{2i})\}_{i \in L} \rightarrow B$.
B: for all $i \in L$, $j = 1, 2$, verify that $ID_U = a_{1i} a_{2i}$, $a_{ji} = u_{ji} + v_{ji}$; verify that
   $\{r_i^3 H(g^{a_{1i}} \bmod p \,\|\, g^{a_{2i}} \bmod p) \bmod n;\ E_1(u_{1i}, u_{2i}), E_2(v_{1i}, v_{2i})\}_{i \in L}$
   is formed correctly, and send
   $\prod_{i \in I} (r_i^3 H(g^{a_{1i}} \bmod p \,\|\, g^{a_{2i}} \bmod p))^{1/3} \bmod n \rightarrow U$, where $I = \{1 \ldots k\} \setminus L$.
U: compute $\prod_{i \in I} (H(g^{a_{1i}} \bmod p \,\|\, g^{a_{2i}} \bmod p))^{1/3} \bmod n$.



Payment-With-Trustees

U wants to spend a coin at shop $S$:
   $C = \prod_{i \in I} (H(g^{a_{1i}} \bmod p \,\|\, g^{a_{2i}} \bmod p))^{1/3} \bmod n$,
   $\{x = (ID_S \,\|\, \mathit{time})\}$,
   $\{g^{a_{1i}} \bmod p, g^{a_{2i}} \bmod p, y_i = a_{1i} x + a_{2i} \bmod q\}_{i \in I}$.
U: send $C \rightarrow S$.
S: accept iff the coin signature is correct, $x$ is correct and not repeated,
   and $\forall i \in I$, $g^{y_i} = (g^{a_{1i}})^x g^{a_{2i}} \bmod p$.



In the deposit protocol, the store S sends a tran- 
script of the payment protocol to both the bank B and 
the government G. 
Tracing Double Spenders

We have two coins spent:
   $C = \prod_{i \in I} (H(g^{a_{1i}} \bmod p \,\|\, g^{a_{2i}} \bmod p))^{1/3}$,
   $\{x = (ID_S \,\|\, \mathit{time})\}$, $\{g^{a_{1i}} \bmod p, g^{a_{2i}} \bmod p, y_i = a_{1i} x + a_{2i}\}_{i \in I}$
and
   $C = \prod_{i \in I} (H(g^{a_{1i}} \bmod p \,\|\, g^{a_{2i}} \bmod p))^{1/3}$,
   $\{x' = (ID_{S'} \,\|\, \mathit{time}')\}$, $\{g^{a_{1i}} \bmod p, g^{a_{2i}} \bmod p, y_i' = a_{1i} x' + a_{2i}\}_{i \in I}$.
G: can solve for $\{a_{1i}, a_{2i}\}_{i \in I}$.
   Compute $ID_U = \mathit{Majority}(\{a_{1i} a_{2i}\}_{i \in I})$.



Tracing with Trustees

$T_1, T_2$: for the appropriate withdrawals, send $\{u_{1i}, u_{2i}\}_{i \in I}$, $\{v_{1i}, v_{2i}\}_{i \in I} \rightarrow G$.
G: compute supposed values $\{g^{a_{1i}}, g^{a_{2i}}\}_{i \in I}$.
   For each withdrawal, try to match the supposed $\{g^{a_{1i}}, g^{a_{2i}}\}_{i \in I}$ values with the
   $\{g^{a_{1i}}, g^{a_{2i}}\}_{i \in I}$ values of the deposits.
   If able to match more than half the values, assume that the coin of the withdrawal is the same coin as the coin of the deposit.



We also have a protocol, Trace-One-Payment, 
which will appear in the full version of the paper. 

Lemma 3.2. The above protocols satisfy the following properties:

1. They preserve the protections of [FY92] against counterfeiting and multiple spending.

2. We assume that finding discrete logs modulo $p$ and inverting $E_1, E_2$ is hard. Then the values
   $C = \prod_{i \in I} (H(g^{a_{1i}} \bmod p \,\|\, g^{a_{2i}} \bmod p))^{1/3} \bmod n$,
   $\{x = (ID_S \,\|\, \mathit{time})\}$,
   $\{g^{a_{1i}} \bmod p, g^{a_{2i}} \bmod p, y_i = a_{1i} x + a_{2i}\}_{i \in I}$
   appearing in the payments of a user's coins can not be linked to the values
   $\{r_i^3 H(g^{a_{1i}} \bmod p \,\|\, g^{a_{2i}} \bmod p), E_1(u_{1i}, u_{2i}), E_2(v_{1i}, v_{2i})\}_{i=1}^k$,
   $\{(r_i, a_{1i}, a_{2i}, u_{1i}, u_{2i}, v_{1i}, v_{2i})\}_{i \in L}$,
   $\{u_{1i}, u_{2i}\}_{i \in I}$ or $\{v_{1i}, v_{2i}\}_{i \in I}$
   appearing in the user's withdrawals (combined with the records of one trustee) by any polynomial time machine. Therefore, without help from both the trustees, the user's cash is computationally anonymous.

3. If the user does not cheat in the withdrawal or payment protocols, then in protocols Trace-With-Trustees and Trace-One-Payment, any coin withdrawal would be linked to its payment with probability 1.

4. If the government is unable to find discrete logs modulo $p$ and is unable to break $U$'s signature scheme, then it is infeasible for the government (even with the help of all the trustees) to successfully claim that the user made a payment s/he did not make.

The proof appears in the full paper. 
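As an added example (not the paper's or [FY92]'s code), the Python below exercises the Franklin-Yung-type protocols of subsection 3.3 together with the cube-root blind signature of subsection 1.1: cut-and-choose withdrawal with blinded $r_i^3 H(g^{a_{1i}} \| g^{a_{2i}})$, the payment check $g^{y_i} = (g^{a_{1i}})^x g^{a_{2i}}$, Tracing Double Spenders from two transcripts of one coin, and Tracing with Trustees from both trustees' shares. Toy parameters ($p = 2039$, $q = 1019$, $n = 1013 \cdot 1019$, $k = 8$), a SHA-256 stand-in for $H$, the shop's challenge $x$ passed in as an integer, and trustee shares kept in plaintext lists instead of $E_1$/$E_2$ ciphertexts are all simplifications of my own.

```python
import hashlib
import math
import random

# Constructed toy parameters: p = 2q + 1 (q = 1019) for the order-q subgroup of Z_p^*, and an
# RSA modulus n = 1013 * 1019 with public exponent 3 (gcd(3, phi(n)) = 1). Tiny, not secure.
p, q, g = 2039, 1019, 4                        # g = 2^2 is a square mod p, so it has order q
n_p, n_q = 1013, 1019
n = n_p * n_q
d3 = pow(3, -1, (n_p - 1) * (n_q - 1))         # only B knows this cube-root exponent
K = 8                                          # the paper's k: tuples per coin; B opens K/2
rng = random.Random(11)                        # deterministic, so the walk-through repeats

def H(ga1, ga2):
    """Collision-resistant hash of g^a1 || g^a2 onto Z_n (the paper's H)."""
    return int.from_bytes(hashlib.sha256(f"{ga1}||{ga2}".encode()).digest(), "big") % n

def withdraw(ID_U):
    """Withdrawal-With-Trustees by cut and choose. Returns U's coin and the shares
    (u1i, u2i) for T1 and (v1i, v2i) for T2 of the K/2 unopened tuples; in the paper these
    reach the trustees encrypted as E1(u1i, u2i), E2(v1i, v2i)."""
    tuples = []
    for _ in range(K):
        r = rng.randrange(1, n)
        while math.gcd(r, n) != 1:                 # blinding factor must be invertible
            r = rng.randrange(1, n)
        a1 = rng.randrange(1, q)
        a2 = ID_U * pow(a1, -1, q) % q             # so that a1 * a2 == ID_U (mod q)
        u1, u2 = rng.randrange(q), rng.randrange(q)
        tuples.append(dict(r=r, a=(a1, a2), u=(u1, u2), v=((a1 - u1) % q, (a2 - u2) % q)))
    blinded = [pow(t["r"], 3, n) * H(pow(g, t["a"][0], p), pow(g, t["a"][1], p)) % n for t in tuples]
    L = sorted(rng.sample(range(K), K // 2))       # B's challenge set
    for i in L:                                    # B verifies the opened tuples
        t, (a1, a2) = tuples[i], tuples[i]["a"]
        assert a1 * a2 % q == ID_U % q
        assert (t["u"][0] + t["v"][0]) % q == a1 and (t["u"][1] + t["v"][1]) % q == a2
        assert blinded[i] == pow(t["r"], 3, n) * H(pow(g, a1, p), pow(g, a2, p)) % n
    I = [i for i in range(K) if i not in L]
    signed = 1
    for i in I:                                    # B: prod (r_i^3 H(...))^{1/3} mod n
        signed = signed * pow(blinded[i], d3, n) % n
    C = signed
    for i in I:                                    # U divides out the r_i
        C = C * pow(tuples[i]["r"], -1, n) % n
    coin = dict(C=C, a=[tuples[i]["a"] for i in I],
                pub=[(pow(g, tuples[i]["a"][0], p), pow(g, tuples[i]["a"][1], p)) for i in I])
    return coin, [tuples[i]["u"] for i in I], [tuples[i]["v"] for i in I]

def coin_valid(t):
    """C^3 == prod H(g^a1i || g^a2i) mod n over the unopened tuples."""
    expected = 1
    for ga1, ga2 in t["pub"]:
        expected = expected * H(ga1, ga2) % n
    return pow(t["C"], 3, n) == expected

def pay(coin, x):
    """Payment-With-Trustees: for the shop's challenge x (= ID_S || time in Z_q) U sends
    C, the g^a1i, g^a2i values and y_i = a1i * x + a2i mod q."""
    return dict(C=coin["C"], pub=coin["pub"], x=x, y=[(a1 * x + a2) % q for a1, a2 in coin["a"]])

def shop_accepts(t, seen):
    """S accepts iff the signature checks, x is fresh, and g^y_i == (g^a1i)^x g^a2i for all i."""
    if not coin_valid(t) or t["x"] in seen:
        return False
    seen.add(t["x"])
    return all(pow(g, y, p) == pow(ga1, t["x"], p) * ga2 % p for (ga1, ga2), y in zip(t["pub"], t["y"]))

def trace_double_spender(t1, t2):
    """Tracing Double Spenders: two transcripts of one coin with x != x' give
    a1i = (y_i - y'_i)/(x - x') and a2i = y_i - a1i x; ID_U = Majority({a1i * a2i})."""
    inv = pow((t1["x"] - t2["x"]) % q, -1, q)
    ids = []
    for y, y_ in zip(t1["y"], t2["y"]):
        a1 = (y - y_) * inv % q
        ids.append(a1 * ((y - a1 * t1["x"]) % q) % q)
    return max(set(ids), key=ids.count)

def trace_with_trustees(t, T1, T2):
    """Tracing with Trustees: G rebuilds the supposed g^a1i, g^a2i from both trustees'
    shares and links the coin if more than half of them match the deposited values."""
    hits = sum((pow(g, (u1 + v1) % q, p), pow(g, (u2 + v2) % q, p)) == pub
               for (u1, u2), (v1, v2), pub in zip(T1, T2, t["pub"]))
    return hits > len(t["pub"]) // 2
```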

4 The Electronic Trustee

By distributing the power to trace, the trustee-based 
cash systems described above are designed to improve 
public confidence in the privacy preservation goals of the 
electronic cash systems, while assuring the government 
that it can reliably monitor suspected criminal activity 
under court order. One trouble with relying solely on 
human trustees is that it is seemingly impossible to 
guard against the case where all the trustees misbehave 
and conspire with a corrupt government to trace the 
spending habits of honest citizens. In this section, we 
discuss a solution which guarantees the innocent user at 
least notification that s/he is being traced, even if the 
government and all human trustees conspire against the 
user. 

We describe an electronic trustee in which both the 
government and the user may feel confident in placing 
their faith. We discuss the trustee in terms of electronic 
cash, but a similar trustee could be used in the context 
of other key-escrow systems. 

For concreteness, we restrict the discussion here to 
the example of subsection 3.3. 

The guarantees we desire for the two sides are as 
follows: 

• The user wants to be sure that if s/he is being 
traced, then the user will be notified of this fact 
within some specified amount of time. 

• The government wants to be certain that it can 
access each share of the user's key, as held by an 
electronic trustee. 

Our solution requires both parties to build sepa- 
rately a different part of a two-part electronic trustee. 

The government builds the inner part of the elec- 
tronic trustee without knowledge of the eventual user 
corresponding to the electronic trustee. This part must be read-proof against the user. We envision that the entire inner part may be embedded in the latest high-tech tamper-resistant material. By read-proof, we mean specifically that the user cannot alter any component of the inner part without erasing the inner part's secret signature key, $Sig^s_T$, and that the user cannot read the value of $Sig^s_T$. The government extracts the corresponding value of $Sig^p_T$ from the inner part prior to surrendering control of the inner part to the user.

In addition to securely maintaining $Sig^s_T$, the inner part accepts as input the private key, $\Theta_T$, of trustee $T$ into a register which can be loaded exactly once by the outer part and is non-erasable, but readable. This is the register which the government will need to read from each electronic trustee to enable a trace of the user's spending. In order to ensure a match between the value of $\Theta_T$, as held by the electronic trustee after installation by the user of the outer part, and the circulated value of $E_T$, certain precautions must be taken: After verifying that $\Theta_T = E_T^{-1}$ (for the supplied or computed value of $E_T$), $Sig^s_T(E_T)$ is generated by the inner part, where no value $E_T'$, distinct from the value of $E_T$ for which the corresponding value of $\Theta_T$ is loaded into permanent memory, will be signed. To verify that the user has placed the intact inner part inside the electronic trustee, random challenges to be signed using $Sig^s_T$ are administered by the government, and are limited in number to the preset value in the inner part.

The outer part of the trustee, built by the user (or his/her specified vendor), monitors the output of the $Sig^s_T$ function, and controls transmissions off the electronic trustee, in order to eliminate leakage with respect to the value of $\Theta_T$.

In order to electronically notify the user if an attempt has been made to recover the value of $\theta_T$ from the electronic trustee, while protecting the government from false claims of unauthorized access to $\theta_T$, the following procedure is specified:

The outer part generates a pulse key pair, $(K_{pulse_T}, K_{pulse_T}^{-1})$, where the public key $K_{pulse_T}$ is registered with a third party prior to deployment of the electronic trustee. $K_{pulse_T}^{-1}$ is used to sign periodic sequenced messages (verifiable using $K_{pulse_T}$) which effectively affirm that no attempt has been made to retrieve $\theta_T$, since the user can implement the outer part so that $K_{pulse_T}^{-1}$ is automatically erased upon intrusion of the electronic trustee. After the government is satisfied that nothing has been introduced into the outer part which can later obliterate $\theta_T$ from the retrievable memory of the inner part, the electronic trustee is coated (under user and government supervision). It is in the user's (legitimate) interest to apply a coating which alters upon tampering, and is impossible to reproduce exactly, or to predetermine. The government assures itself that the outer part and the coating are constructed so that the coating can't be modified spontaneously or from within. A digitization of the coating is signed by the outer part's $K_{pulse_T}^{-1}$ key, where the user can design and implement the $K_{pulse_T}^{-1}$ signing function so as to thereafter accept only internally generated inputs. Alternatively, the digitized value of the coating is (physically) signed by the user or his/her legal representative. The signed version of the coating value is supplied to the government. The electronic trustee is, from then on, held securely under government control.

5 Adding Anonymous Change-making

We address the problem of the user U wishing to make 
an anonymous purchase from a store S but having 
incorrect change. We assume that the store has a 
computer link to a bank B but that the user does not 
wish to identify him/herself to the bank to prevent the 
bank from associating him or her with the store. We 
assume that the user has Y dollars in coins and wishes 
to make a purchase worth X < Y dollars. 

We present a protocol which allows a user U to 
present anonymously a set of coins worth Y dollars to 
the bank B and receive in return another set of coins 
also worth Y dollars, but in different denominations. 
The user chooses the denominations in such a way that he or she can combine coins to get X dollars.



Getting Anonymous Change

U wishes to give B Y dollars in coins and receive Y dollars in coins of different denominations.

U: use the payment protocol to pay the Y dollars in coins to bank B (without revealing $I_U$) and tell B the desired denominations of the change.

B: check that the requested coins total Y dollars. Let $m'_{old}$ be a value from one of the coins that U just paid. For every coin to be given out as change, B uses the appropriate value of $h_i$.

For complete anonymity, B and U use value $m_{new} = m'_{old}$ for each new coin withdrawn.

For trustee-based tracing, U generates a new value $f_{new} = g_3^{\gamma_3} g_4^{\gamma_4}$ for each new coin and sends the trustees shares of $\gamma_3, \gamma_4$. U and B use value $m_{new} = m'_{old} f_{new}$ in the withdrawal of that coin.



LEMMA 5.1. The above protocol, when added to either Brands' basic protocols or to the trustee-based system of subsection 3.2, maintains the following properties:

1. The augmented system is secure against user counterfeiting and multiple spending.

2. Without help from all the trustees, the values appearing in the payments of a user's coins are completely independent from the values appearing in the user's withdrawals.

3. If we use the trustee-based system of subsection 3.2, then the trustees can combine their information and trace both the user's original coins and the coins given as change.

See Appendix A for the proof. 

6 Conclusions and Open Problems 

In this extended abstract, we have addressed several important issues for an electronic cash system. We have presented the outline of a system which is feasible, secure against criminal attack, and still largely acceptable to users who are concerned about excessive invasion of their privacy. The system which we have proposed has the benefits of previously proposed electronic cash systems as well as other benefits, including the prevention of certain types of crime, and an efficient, privacy-maintaining solution of the anonymous change problem.

One topic which deserves further investigation is the anonymous change problem. In this extended abstract, we presented a way in which a user might make an anonymous $1 purchase with a $2 coin at a store that has a line of communication to a minting facility. However, if the store does not have this communication capability, the problem remains open. The solutions of [OO92] and [EO94] come close, but the parts of the divisible coin are linkable. We argued in this extended abstract that any off-line, unlinkable solution must base the user's anonymity on complexity assumptions. [W92] discusses a way it could be done using zero-knowledge proofs, but these proofs may not be feasible for the user to carry out in practice.
Appendix A: Proofs

Proof (of Lemma 3.1) (sketch).
The new protocols satisfy the following properties:
1. The form of the bank's blind signature has not been altered and the bank reveals no more information than it did in Brands' basic protocols. Therefore, the proof of proposition 7 of [B93b] goes through, and, assuming that it is infeasible to existentially forge Schnorr signatures, the new system is secure against counterfeiting.

The proof relating to the traceability of multiple spenders goes through as it does for Brands' original protocols. The only difference is that now we assume that the user is unable to find a non-trivial representation of 1 relative to generators $g_1, g_2, g_3, g_4, g$. If U spends a coin twice, the bank will be able to deduce the value of $s$ corresponding to that coin and use that value to deduce $u_1, u_2, I_U = g_1^{u_1} g_2^{u_2}$.

2. The proof of this statement is similar to the proof 
of the corresponding statement for Brands' basic 
protocols (see [Btr93]). 

3. Proof to appear in the full paper. 

4. Proof to appear in the full paper. 

5. Suppose G mistakenly identifies user I's money as J's. Let $d$ be the denomination of J's coin. Let $f_k = g_3^{\gamma_{3,k}} g_4^{\gamma_{4,k}}$ be I's random value. Let $s$ be the first random value which I chose for the coin in the withdrawal protocol. Let $u_1, u_2$ be the exponents in I's known representation.

Then: 

W* = (™' r; >' fc 

So 

This yields the following representation of 1: 

73,* 73,* 73,* %K 73,* 

This representation is non-trivial if $\gamma_{3,k} \ne \gamma_{3,\ell}$ or $\gamma_{4,k} \ne \gamma_{4,\ell}$ or $u_1 \ne u_1'$ or $u_2 \ne u_2'$. For distinct users, the bank will demand that $I_U \ne I_{U'}$. If $U = U'$, the bank will demand that $f_k \ne f_\ell$, i.e. for a given user, the bank will demand that all the $f_k$ values are distinct.

Proof (of Lemma 5.1).
1. Without loss of generality, we assume that we are augmenting a trustee-based system. The completely anonymous system is simpler.

We divide the user's coins up into the old coins (Y 
dollars worth) given by the user to the bank and 
the new coins (Y dollars worth) given in return by 
the bank to the user. 

We can assume that the user cannot feasibly double-spend the old coins. This is so because we already know that the user cannot double-spend coins s/he will withdraw using the regular withdrawal protocol and we will also show that s/he cannot double-spend the new coins.

Let the following coin withdrawal and payment values correspond to an old coin used to form the new coins. We assume at first that the old coin is withdrawn using the Withdrawal-With-Trustees protocol where U proves his/her identity to B.

$$f_k,\quad m = I_U\, d\, f_k,\quad s,\quad m' = m^s = (I_U\, d\, f_k)^s$$

We consider the following new coin with values:

$$f_{new} = g_3^{\gamma_{3,new}} g_4^{\gamma_{4,new}},\quad m_{new} = m' f_{new},\quad s_{new},\quad m'_{new} = (m_{new})^{s_{new}} = \big((I_U\, d\, f_k)^s f_{new}\big)^{s_{new}}$$

U's representation of $m'_{new}$ is

$$g_1^{u_1 s s_{new}}\; g_2^{u_2 s s_{new}}\; g_3^{(\gamma_{3,k} s + \gamma_{3,new}) s_{new}}\; g_4^{(\gamma_{4,k} s + \gamma_{4,new}) s_{new}}\; d^{s s_{new}}$$

If U does spend the new coin more than once, then s/he will reveal the value $s s_{new}$ and the bank can deduce $u_1, u_2, I_U = g_1^{u_1} g_2^{u_2}$. Therefore, U cannot effectively double-spend the new coin.

If the old coin was itself a coin obtained from 
the anonymous change protocol, then the user's 
knowledge of the new coin will have the form: 

where the values $\{s_j\}_j$ are from the original withdrawal and the times the user obtained anonymous change, and the values $\delta_3, \delta_4$ are computed by the user.

If U double-spent this coin, B could deduce 

2. This proof is similar to those for the corresponding 
statements for Brands' basic system and for the 
system presented in subsection 3.2. 

3. To answer the question of whether U made a particular payment, the trustees trace the user's original withdrawals (when the user proved his/her identity to the bank) to the executions of the anonymous change protocols. Then the trustees trace the new coins from the anonymous change protocols using the value $\gamma_{3,k} s + \gamma_{3,new}$.
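The exponent algebra behind the anonymous change protocol of section 5 and the representation of $m'_{new}$ derived in the proof of Lemma 5.1, as an added worked example in Python that is not part of the paper. It uses a constructed toy group (squares mod 2039, of prime order 1019; a real instance needs a group with hard discrete logarithms), generalises the one-round representation in the proof to any number of change rounds, and assumes, as in Brands' scheme, that a double-spent coin exposes the exponents of the user's representation of its value.

```python
# Added example (not the paper's code) in a constructed toy group: the squares
# mod P = 2Q+1, P and Q prime, stand in for Brands' group; discrete logs are easy here.
import math, secrets

P, Q = 2039, 1019                                              # constructed
G1, G2, G3, G4, D = [pow(h, 2, P) for h in (2, 3, 5, 7, 11)]  # order-Q elements

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def identity(u1, u2):                 # I_U = g1^u1 g2^u2, known only to the user
    return pow(G1, u1, P) * pow(G2, u2, P) % P

def trustee_value(gamma3, gamma4):    # f = g3^gamma3 g4^gamma4; shares go to trustees
    return pow(G3, gamma3, P) * pow(G4, gamma4, P) % P

def withdraw(u1, u2, gamma3, gamma4, s):
    """Withdrawal-With-Trustees: m = I_U d f_k, blinded as m' = m^s."""
    return pow(identity(u1, u2) * D * trustee_value(gamma3, gamma4) % P, s, P)

def change(m_old_prime, gamma3, gamma4, s_new):
    """Anonymous change: m_new = m'_old f_new, blinded as m'_new = m_new^s_new."""
    return pow(m_old_prime * trustee_value(gamma3, gamma4) % P, s_new, P)

def exponents(u1, u2, steps):
    """Exponents of U's representation of the final coin w.r.t. (g1, g2, g3, g4, d);
    steps[0] = (gamma3, gamma4, s) is the withdrawal, later steps are change rounds."""
    e1, e2, e3, e4, e5 = u1, u2, 0, 0, 1
    for gamma3, gamma4, s in steps:
        e3, e4 = (e3 + gamma3) % Q, (e4 + gamma4) % Q                # multiply in f
        e1, e2, e3, e4, e5 = (e * s % Q for e in (e1, e2, e3, e4, e5))  # blind
    return e1, e2, e3, e4, e5

def from_exponents(e):
    return math.prod(pow(b, x, P) for b, x in zip((G1, G2, G3, G4, D), e)) % P

def bank_deduces_identity(e):
    """Double-spending exposes the representation; dividing out s*s_new recovers I_U."""
    inv = pow(e[4], -1, Q)                                        # Python 3.8+
    return identity(e[0] * inv % Q, e[1] * inv % Q)

def demo(rounds=2):
    """Withdraw, take change `rounds` times, check the representation and the trace."""
    u1, u2 = rand_exp(), rand_exp()
    steps = [(rand_exp(), rand_exp(), rand_exp()) for _ in range(rounds + 1)]
    coin = withdraw(u1, u2, *steps[0])
    for gamma3, gamma4, s_new in steps[1:]:
        coin = change(coin, gamma3, gamma4, s_new)
    e = exponents(u1, u2, steps)
    return coin == from_exponents(e), bank_deduces_identity(e) == identity(u1, u2)
```

For one change round `exponents` returns exactly the proof's tuple $(u_1 s s_{new},\, u_2 s s_{new},\, (\gamma_{3,k} s + \gamma_{3,new}) s_{new},\, (\gamma_{4,k} s + \gamma_{4,new}) s_{new},\, s s_{new})$, and the third component is the value the trustees trace with.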



